[LSM Stacking] SELinux policy inside container affects a process on Host
Leesoo Ahn
lsahn at wewakecorp.com
Thu Jul 6 05:12:41 UTC 2023
Hello! Here is another weird behavior of LSM stacking.
Test env:
- Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
- boot param: lsm=apparmor,selinux
- AppArmor (Host) + SELinux (LXD Container Fedora 36)
In the test environment mentioned above, after switching SELinux to
enforcing by running "setenforce 1" within the container, executing the
following command on the host results in "Permission denied":
root at stack-v6:/home/lsahn# insmod /lib/modules/6.2.0-20-generic/kernel/net/netfilter/nft_ct.ko
insmod: ERROR: could not insert module /lib/modules/6.2.0-20-generic/kernel/net/netfilter/nft_ct.ko: Permission denied
In dmesg, the following kernel log is displayed:
[ +0.000003] audit: type=1400 audit(1688619411.654:1072): avc: denied { module_load } for pid=67703 comm="insmod" path="/usr/lib/modules/6.2.0-20-generic/kernel/net/netfilter/nft_ct.ko" dev="sda2" ino=1444804 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=system permissive=0
I have the following questions about these results:
- Why does the policy applied within the container affect the host, and
is this a bug or not?
- If this is a bug, I'm curious about where to start the analysis. It
would be helpful if you could provide relevant resources or links.
Best regards,
Leesoo
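A small triage helper for the AVC record quoted in the mail above (an added example, not part of the original post or of the kernel tree): it splits the denial into its fields and flags the combination that makes this report notable, an enforcing denial on the host whose target object carries no SELinux label (unlabeled_t). The second record is constructed to show the permissive=1 case; nothing beyond the Python standard library is assumed.

```python
import re

# AVC record copied from the dmesg output in the report above.
SAMPLE_AVC = (
    'audit: type=1400 audit(1688619411.654:1072): avc: denied '
    '{ module_load } for pid=67703 comm="insmod" '
    'path="/usr/lib/modules/6.2.0-20-generic/kernel/net/netfilter/nft_ct.ko" '
    'dev="sda2" ino=1444804 scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=system permissive=0'
)
# Constructed variant: same denial, but logged in permissive mode (audit only).
SAMPLE_AVC_PERMISSIVE = SAMPLE_AVC.replace("permissive=0", "permissive=1")

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:mls]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        _user, _role, type_, *_mls = rec[ctx].split(":")
        rec[ctx + "_type"] = type_
    return rec


def is_enforced_denial_on_unlabeled(rec):
    """True for a denial that was actually enforced (permissive=0) against an object
    with no usable SELinux label (unlabeled_t), i.e. a host object the policy
    loaded from the container is judging."""
    return (
        rec is not None
        and rec["result"] == "denied"
        and rec.get("permissive") == "0"
        and rec["tcontext_type"] == "unlabeled_t"
    )


def summarize(rec):
    """One-line human summary of the denial for a triage ticket."""
    return "%s %s -> %s (%s) perms=%s enforced=%s" % (
        rec["comm"], rec["scontext_type"], rec["tcontext_type"], rec["tclass"],
        ",".join(rec["perms"]), rec.get("permissive") == "0")
```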